RADIUS Server for Enterprise Networks

Explore the history of RADIUS, its role in PPP, its integration with 802.1X for wireless LANs, and the use of EAP in enhancing network security.

RADIUS Server for Enterprise Networks
Photo by Daniil Silantev / Unsplash

Hello World! In the previous post, you have learnt that to secure an enterprise network various standards and tools are employed by the network admins. But what exactly are those components and tools? What do they do? Why different schemes and methods are implemented? So many questions and that too are interlinked (I hate it the most).

If you have any of these questions and want to learn more about them, you are on right track, I will be discussing the most important component that is widely used in the Enterprise Wireless Security today in this post which implements Authentication, Authorisation and Accounting service, RADIUS server.

Of, let's starts with a question, that will give you an idea of what RADIUS and why it is used.

You are developing a cool e-commerce website, would you focus more on building the authentication and authorisation logic for onboarding your users or rather delegate this to another service like Auth0, Google Identity Platform and AWS Cognito and focus more on the things that are more business oriented?

Yes! The correct answer is focus on business oriented feature.

If you aren't a developer or didn't get it anyhow, I will explain it under specific sections below.

What is RADIUS

RADIUS is an abbreviation of Remote Authentication Dial-In User Service which was created long time ago for point-to-point (PPP) links, even before the existence of the very first WiFi standard.

As the internet grew, more endpoints existed on the network and ISPs came into the picture who had to install the point of presence near their customer's locations for which a centralised single source of truth was needed where all the authentication credentials would be stored. Users can now access the internet from any location where the ISP's point of presence (POP) is available by entering their login credentials. These credentials are verified by the RADIUS authentication server, which then instructs the Network Access Server to permit the user to transmit packets to the internet.

Interaction between Dial-in User and the RADIUS Client and Server
User authentication process in high level – Taken from https://www.cisco.com/
  1. A user first notified the authenticator to initiate the login session.
  2. Authenticator asks for the identity (username) and proof (password) from the user
  3. User (supplicant) responds with the information asked.
  4. The authenticator takes that response and pass it transparently to the RADIUS server.
  5. Upon verifying the details, RADIUS will return a successful or failure response.
Before that the PPP provided authentication mechanisms like PAP and CHAP were used, which were considered insecure.

Is it a Protocol or Product?

Understanding this aspect can be difficult for many users, as it is frequently misunderstood online. Here's a simple explanation: In this context, a server refers to software that implements specific logic and provides an interface for interaction.
RADIUS serves two primary functions. For starters, it establishes a standard set of capabilities that authentication servers must provide. Second, it defines a protocol that allows devices to use these capabilities. When we say RADIUS server, we mean the component of the authentication server that supports RADIUS capabilities. When we talk about RADIUS, we typically mean the protocol used to communicate with the server.

You will see that extending RADIUS for EAP was simple to add EAP-Message attribute, in the list of available attributes of the RADIUS packet format.

Motivation to Incorporate this in WiFi World

The architecture of the WLAN is somewhat similar to that of wired/Ethernet world. The extension of PPP protocol to Ethernet, PPPoE, can be used for carrying the wireless frames. Therefore, instead of creating everything from scratch, transmitting the existing packets through wireless frame seems to be the most appropriate and efficient decision given the situation at that time.

Treating different wireless devices individually – Fig 8.6 Real 802.11 Security

Using the unicast transmissions based on Transmitter and Receiver MAC addresses in the frame, the IEEE team treats each wireless connection between the device and the access point as if it were an independent connection. That means, After the first device is authenticated, the second device must repeat the process, even if you use the same user credentials on both devices. Similar to database normalisation, this approach centralises repeated data to a single source of truth.

As per 3.3 section of RFC 3748, IEEE 802.1X encapsulates EAP over LAN protocols, not point-to-point protocols, therefore it is not possible to negotiate non-EAP authentication mechanisms, like PAP or CHAP, which were possible in plain old PPP protocol during authentication phase.

Why EAPoL is Required?

In previous discussions, we established that EAP frames only contain authentication-related information, including status, and must be carried over some Layer 2 transmission protocol. The challenge is to transmit these frames over a LAN between the supplicant and the authenticator.

IEEE 802.1X addresses this issue by defining a protocol called EAP over LAN (EAPOL) to facilitate the passing of EAP messages between the supplicant and the authenticator. Beyond just carrying EAP messages, the committee decided to enhance EAPOL to perform additional management tasks related to authentication, such as notifying the authenticator to initiate the authentication session with EAPOL-Start. Consequently, more messages were added to support these functions.

Not all EAPOL frames carry EAP messages; some of them are used for administrative and management tasks. You will see the important ones in the following section.

The EAPoL-Start Frame

When the supplicant wants to connect to the network, it first needs to know whether the network is reachable in its proximity or not. For this purpose, the supplicant broadcasts multicasts EAPOL-Start frame to the IEEE 802.1X reserved MAC address (01:80:C2:00:00:03). If the authenticator receives this frame, it then responds with EAP-Request/Identity to ask for the supplicant identity, which can be a username.

RADIUS Packet Format

The RADIUS packets encapsulated in the UDP packets and the ports are reversed in the response packets.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Code      |  Identifier   |            Length             |
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   |  Attributes ...

Radius packet format as taken from RFC 2865

  • Code field is used to identify the intent of the packets in the RADIUS, for example the associated value of the Access-Request, Access-Response and etc goes here
  • Identifier field usually increments for each request-response cycle to associate the response for the request. This helps in making the transmission asynchronous and handle concurrent requests (earlier RADIUS was single-threaded)
  • Length field, as you may know, contains the length of the RADIUS packet including the Code, Identifier, Length, Authenticator and Attribute fields.
  • Authenticator field is 16 octet (bytes) is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm. It is the shared secret between client (authenticator here) and the server to provide further encryption in the transmission for the authentication process.
  • Attributes field contains additional authentication-related information such as usernames from EAP-Request/Identity packets, passwords, and challenges. They can also include EAP-related details and vendor-specific information. It is similar (not exactly) to the Tagged parameters in the Beacon/Probe frames.

EAP Packet Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Code      |  Identifier   |            Length             |
   |    Data ...

EAP Packet Format as taken from RFC 3748

The data field can be sub-divided into Type and Type-Data fields for Request and Response values in the Code field.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Code      |  Identifier   |            Length             |
   |     Type      |  Type-Data ...

EAP Packet format for Request/Response transmitting specific method

  • Code field is used to convey the intent of the packet to the port access entity it is destined to. Since EAP only defines Codes 1-4, EAP packets with other codes MUST be silently discarded by both all PAEs.
1 Request An EAP Request packet is sent by the authenticator (NAS) to the supplicant (client) to request information or to start the authentication process.
2 Response An EAP Response packet is sent by the supplicant to the authenticator in reply to a Request packet. The Response packet contains the information requested by the authenticator, such as the user's identity or the authentication data required for the specific method being used.
3 Success An EAP Success packet is sent by the authenticator to the supplicant indicating that the authentication process has been successfully completed. This means that the client has provided valid credentials and is now granted access.
4 Failure An EAP Failure packet is sent by the authenticator to the supplicant to indicate that the authentication process has failed.
  • Identity field here has same role as in RADIUS packet, to match the request and response. It MUST be kept same when retrying the same packet.
  • Length field is the total length of the EAP packet including Code, Identifier, Length and Data.
  • Data field may carry the information related to the EAP method that is being used to negotiate the authentication details like identity, password and etc. If the Code is 3 or 4, this field is not populated at all because the status codes are sufficient to deduce the meaning of the packet.
    • Type field is used to classify what information is being requested by the authenticator and sent by the supplicant. Some of the values are defined in the Section 5 of EAP RFC 3748 and others (that came after the RFC) are assigned by IANA.
    • Type-Data field contains the actual authentication data related to the selected EAP-Type (method).
Based on the priority list, the authenticator will request the supplicant to use a specific method for credential negotiation. If the supplicant doesn't support the method, it responds with a NAK Type, allowing the authenticator to try the next method or terminate the authentication session.


The RADIUS protocol is used alongside EAP, with EAP providing the authentication mechanisms and RADIUS handling the encapsulation of EAP packets and accounting services. While RADIUS includes built-in support for authentication, it is limited in incorporating various existing or emerging authentication methods such as LDAP and OTP.

Currently, RADIUS functions as a data repository for user accounts, storing user credentials and access list entries. These entries are retrieved through the implementation of an EAP method and verified against the database; if they match, RADIUS responds with an accept message, otherwise, it responds with a reject message. The presence of EAP-Message in the forwarded frames tell the RADIUS server to EAP method.

In the RFC 3579, a new attribute called EAP-Message was added which was used to encapsulate the EAP messages for the RADIUS without authenticator knowing the underlying format of the EAP method. This same thing was incorporated in the wireless LAN.

EAP-Packet data is sent in the EAP-Message attribute of RADIUS packets.
Extensible Authentication Protocol (EAP) :: The FreeRADIUS project - Documentation
Think of EAP as a Passport.js implementation for the RADIUS authentication system.

The supplicant sends the EAP packet to the authenticator because RADIUS server is generally accessible only to authenticator via wired link and authenticator then extract the EAP payload can then extract the EAP payload and forward it to the authentication server transparently, typically inside a RADIUS packet.

EAP was initially designed and develope for the PPP (RFC 2284), then it was used with RADIUS (RFC 3579) and then with the LAN networks (IEEE 802.1X).

Flow of Frames During Authentication

Different EAP methods have unique steps during authentication. I will now outline the generic steps common to most EAP methods using the analogy of a visitor as a supplicant, your kid as an authenticator and you as authentication server.

Taken from https://www.ieee802.org/
  1. EAPOL-Start is broadcasted by a supplicant if it didn't get EAP-Request/Identity from the authenticator as. This is similar to the visitor coming at your door and ringing the bell, notifying to start the authentication session.

    The Packet-Type value of this frame is 0x1.

  2. EAP-Request/Identity is sent by the authenticator to the supplicant in response to EAPOL-Start to request the identity for the connecting client. Similar to how your kid would ask the visitor to tell his/her name.

    It will be sent as EAP-Packet type and in the Code is set to 1. This is mainly used for selecting the EAP method to use for the supplicant.

  3. EAP-Response/Identity is sent by the supplicant to the authenticator providing its identity in the packet. It is when the visitor tells his/her name to your kid.

    Note $\to$ In the tunnelled authentication method, a supplicant may choose to send anonymous identity before tunnel is being initiated.

  4. Radius-Access-Request is sent from the authenticator to the authentication server, that is generally encapsulated on the Ethernet frames transparently passing value of the Identity from the EAP-Response/Identity packet. This is when your kid tells you that there is a person called John (assumed name) asking to join for the dinner.

  5. Radius-Access-Challenge is sent by the authentication server to the authenticator, including a plain text random message to be encrypted by the supplicant using the chosen EAP method. Since the supplicant cannot communicate directly with the server, this message is sent to the authenticator. The authenticator then extracts the information, encapsulates it into an EAP-Request/Auth, and sends the challenge to the supplicant. This is when you want to know more about the person so you tell your kid to ask the visitor which John he is.

  6. EAP-Response/Auth is then sent by the supplicant to the authenticator with excrypted message or the information proving the identity of itself, which is then relayed to the authentication server by the authenticator in the Radius-Access-Request packet. This is same as the visitor shares his surname or some exclusive information with you, via your kid.

  7. If the authentication server sends a Radius-Access-Accept message, the authenticator will respond with EAP-Success to the supplicant and initiate the four-way handshake by setting the Type field in EAPOL frames to 0x3 (EAPOL-Key). Conversely, If the server sends a Radius-Access-Reject message, the authenticator will respond with EAP-Reject, terminating the session immediately. This prevents any further interaction and denies network access to the supplicant.

With this analogy, the 4-way handshake occurs when John enters the hall and shakes hands with your child. Your child now remembers John, and the next time John comes, the child can allow him access to the hall without asking you. This is how the caching of the state of authentication of the supplicant in the authenticator to expedite the mobility of wireless devices as they move from one BSS to another.

When the supplicant wishes to disconnect from the BSS, it will transmit EAPOL-Logoff. This will tell the authenticator to transition the port from controlled to uncontrolled.

All the packets exchanges (name starting with Radius-) that happen between authenticator and the authentication server are private and supplicant has zero knowledge of that.

Authenticator is using Framed Service-Type in the Access-Request packet

Recall that the access point connects to the main router via Ethernet, requiring PPPoE to transmit frames. Therefore, Access-Request packets set Service-Type to Framed. This signals to the RADIUS server that the NAS believes the user prefers authentication and then enabling the controlled port.

This is what I believe at time of writing the post, if you find any other convincing information (with citations), please reach me out.

Simple Authentication using EAP-Identity

Imagine telling your kid that if Uncle John shows up or if the visitor says his name is John and has the secret password, they can let him into the hall. This way, checking his name and then granting access is like your kid playing security guard and allowing him access based on identity.

Similarly, EAP-Identity can be thought of as a very simple authentication method. Because it is the first packet transmitted by the supplicant, the authentication server can decide to allow the access without asking supplicant to prove its identity. For example, Guest login on windows, since the identity of guest is unknown it is often left password-less account. There would be at max 3 packets flow

  1. EAP-Request/Identity from the authenticator
  2. EAP-Response/Identity (sending John) from the supplicant
  3. EAP-Success from the authenticator

This way the supplicant can send a random or special identity masquerading its original identity to prevent it from the being stolen by the sniffing of wireless packets by the attacker. In fact, Protected-EAP (PEAP) uses EAP-Identity to send an anonymous identity initially (Outer/First Phase). Authentication then occurs within an encrypted TLS tunnel, ensuring that even the authenticator cannot see the details of the communication between the supplicant and the authentication server. Then it sends the real identity (Inner/Second Phase) and further authentication packets.

EAP-PEAP (Protected Extensible Authentication Protocol), creates an encrypted TLS tunnel withing which the supplicant’s inner identity is validated. Sometime it is referred as EAP within EAP.…

What is the Point of Accounting?

I shared your initial doubts about the role of accounting in RADIUS. Initially, it seemed logical to use RADIUS solely for authentication while handling accounting and logging with an external server. However, RADIUS was specifically designed to simplify the operations of ISPs by facilitating user authentication on PPP links. This need for integrated billing and resource management led to the inclusion of accounting features in RADIUS, providing a comprehensive one-stop solution for authentication, authorisation and accounting.

After successful authentication and enabling the controlled port for the supplicant, the authenticator may send Radius-Accounting-Request packet to the authentication server including the supplicant information to start the accounting session for it. On success, the server must respond with Radius-Accounting-Response as acknowledgement.


RADIUS - Wikipedia
What is the Point-to-Point Protocol over Ethernet (PPPoE) network protocol?
Learn how the Point-to-Point Protocol over Ethernet (PPPoE) network protocol works, its role in network communications and how it differs from DHCP.
EAP Methods
RADIUS Concepts
Wireless Security Fundamentals > Security | Cisco Press
<p>This sample chapter from<em> Understanding and Troubleshooting Cisco Catalyst 9800 Series Wireless Controllers</em> covers the security aspects of the Catalyst 9800 controller. The biggest aspect revolves around AAA, which is either locally handled by the controller or delegated to an external RA…
RFC 3579: RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from…
What’s the difference between RADIUS and 802.1X Port-Based Authentication?
As long as I know RADIUS is a type of authentication protocol, where for example if someone wants to use a switch, it first of all needs to enter his/her credentials, and properly authenticate hims…
Extensible Authentication Protocol (EAP) :: The FreeRADIUS project - Documentation
Name EAP-Message Synopsis Attribute Number 79 Length 3 or more octets Value STRING Allowed in Access-Accept, Access-Reject, Access-Challenge, Access-Request Prohibited in Accounting-Request, Accounting-Response Presence in Packet Not required Maximum Iterations … - Selection from RADIUS [Book]
How and where RADIUS and EAP combine?
I have been reading a little bit about authentication methods. I have read about RADIUS and about EAP. I just don’t understand the connection between them. RADIUS is a authentication protocol whic…
RFC 2284: PPP Extensible Authentication Protocol (EAP)
The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP also defines an extensible Link Control Protocol, which allows negotiation of an Authentication Protocol for authenticating its peer before allowing Network Layer pro…
Examine how the RADIUS Works
This document describes what a RADIUS server is and how it works.
RFC 2865: Remote Authentication Dial In User Service (RADIUS)
This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]
RFC 2866: RADIUS Accounting
This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.
Name Service-Type Synopsis Attribute Number 6 Length 6 Value ENUM Allowed in Access-Accept, Access-Request Prohibited in Access-Reject, Access-Challenge Presence in Packet Not required Maximum Iterations 1 This attribute describes the … - Selection from RADIUS [Book]
What is the Point-to-Point Protocol over Ethernet (PPPoE) network protocol?
Learn how the Point-to-Point Protocol over Ethernet (PPPoE) network protocol works, its role in network communications and how it differs from DHCP.
Knowledge Base - Understanding 802.1X
Understanding 802.1X The 802.1X is a specification that defines EAP (Extensible Authentication Protocol) over LAN. This is also known as EAPOL. EAP is an authentication framework with supports multiple authentication methods. It is defined in RFC 3748. EAP defines three terminologies: Supplicant:
EAPOL :: Chapter 8. Access Control: IEEE 802.1X, EAP, and RADIUS :: Part II: The Design of Wi-Fi Security :: 802.11 security. wi-fi protected access and 802.11i :: Networking :: eTutorials.org
EAPoL Protocol | Extensible Authentication Protocol over LAN
EAPoL Protocol or Extensible Authentication Protocol over LAN is a generic network sign-on method for IEEE 802.1X Port Based Network Access Control.
EAPoW - Extensible Authentication Protocol over Wireless
EAPoW - Extensible Authentication Protocol over Wireless (IEEE 802.11) delivers session WEP keys to wireless network users
Extensible Authentication Protocol (EAP) Registry